A firewall is usually a dedicated piece of service software running on a single computer that protects an internal network of many computers. It keeps the enterprise's network design clear, identifies and blocks illegitimate requests, and effectively prevents data access that exceeds a user's permissions. It may be a very simple filter or an elaborately designed gateway, but the principle is the same: monitor and filter all exchange of information between the internal and external networks.
Firewall prices on the market vary enormously, from tens of thousands of yuan to hundreds of thousands, even millions. Because each enterprise's security requirements differ, vendors' products differ too, and some vendors also offer modular products to meet the varying security needs of different enterprises.
Once a business or organization decides to adopt a firewall to enforce its security policy and defend its internal network, the next task is to choose one that is secure, affordable, and appropriate. Faced with such a wide range of firewall products, which factors should users consider, and how should they choose?
The first factor: the basic functions of a firewall
A firewall system can be called the network's first line of defense, so when an enterprise decides to use a firewall to protect its internal network, it first needs to understand the basic functions such a system should have; these are the basis and premise for choosing a firewall product. A successful firewall product should have the following basic features:
The firewall's design should follow the basic principle of security precaution: "whatever is not expressly permitted is prohibited". The firewall should support the organization's security policy rather than impose one, and if that policy changes, new services can be added. It should have advanced authentication measures, or hooks through which advanced authentication methods can be installed, and where necessary it should use filtering to permit or prohibit services. It should be possible to run service proxies such as FTP and Telnet so that advanced authentication methods can be installed and run on the firewall. It should offer a friendly, easily programmable IP filtering language and packet filtering based on the attributes of each packet: destination and source IP address, protocol type, source and destination TCP/UDP port, the TCP ACK bit, and the inbound or outbound network interface.
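As an added illustration (not part of the original article), the following Python sketch models the packet-filtering criteria listed above: rules match on interface, protocol, source and destination address, destination port and the TCP ACK bit, and anything no rule expressly permits is denied. The addresses, ports and policy are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str          # source IP
    dst: str          # destination IP
    proto: str        # "tcp", "udp" or "icmp"
    sport: Optional[int]
    dport: Optional[int]
    ack: bool         # TCP ACK bit set: packet belongs to an existing connection
    iface: str        # "inbound" (from the Internet) or "outbound" (from inside)

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    iface: str = "*"             # "*" matches either interface
    proto: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None: any destination port
    ack: Optional[bool] = None   # None: ACK bit not examined

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface)
                and self.proto in ("*", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.ack is None or self.ack == p.ack))

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; with no match the packet is denied,
    implementing "unless expressly permitted, otherwise prohibit"."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"

# Constructed policy for a 10.0.0.0/8 internal network: inside hosts may reach
# web servers; only replies (ACK set) may come back in; the mail relay at
# 10.0.1.25 accepts SMTP from anywhere. Everything else falls to the default.
RULES = [
    Rule("permit", iface="outbound", proto="tcp", src="10.0.0.0/8", dport=80),
    Rule("permit", iface="outbound", proto="tcp", src="10.0.0.0/8", dport=443),
    Rule("permit", iface="inbound", proto="tcp", dst="10.0.0.0/8", ack=True),
    Rule("permit", iface="inbound", proto="tcp", dst="10.0.1.25/32", dport=25),
]
```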
If users need services such as NNTP (Network News Transfer Protocol), X Window, HTTP, and Gopher, the firewall should include the corresponding proxy service. Firewalls should also be able to centralize mail, reducing direct connections between internal SMTP servers and external servers and concentrating e-mail handling for the whole site. Firewalls should allow public access to the site while separating the public information server from the other internal servers.
Firewalls should be able to centralize and filter dial-in access, and should record network traffic and suspicious activity. To keep logs readable, the firewall should be able to condense its logging. While the firewall's operating system need not be the same one the company uses internally, running an operating system the administrator is familiar with on the firewall makes management easier. The strength and correctness of the firewall should be verifiable, and its design should be as simple as possible for the administrator to understand and maintain. The firewall and its operating system should be patched and upgraded on a regular basis.
As mentioned earlier, the Internet changes all the time, and new vulnerabilities may appear at any moment. When new hazards arise, new services and upgrades may run up against the installed firewall, so it is important that the firewall be adaptable.
The second factor: the enterprise's special requirements
Enterprise security policies often contain special requirements that not every firewall can meet, and this frequently becomes one of the considerations in choosing a firewall. The common requirements are as follows:
1. Network address translation (NAT)
Address translation has two benefits. The first is that it hides the real IP addresses of the internal network, so that hackers cannot attack internal hosts directly; this is also why the security of the firewall itself, as the one exposed host, deserves emphasis. The second is that reserved (private) IP addresses can be used internally, which helps the many enterprises that are short of public IP addresses.
2. Dual DNS
When an internal network uses unregistered IP addresses, or the firewall performs address translation, DNS must be translated as well, because the same host will have a different IP address internally than the one presented to the outside. Some firewalls provide dual DNS for this; with others, DNS must be installed on separate hosts for the two views.
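As an added example (not from the original article), the following Python model ties the NAT and dual DNS points together: the firewall hides internal hosts behind one public address and translates replies back, while answering the same hostname differently for inside and outside clients. The addresses and the hostname www.example.com are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 reserved ranges: usable inside, never routed on the public Internet.
RESERVED = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_reserved(ip: str) -> bool:
    return any(ip_address(ip) in net for net in RESERVED)

class Firewall:
    """Constructed model of a NAT firewall that also serves two DNS views."""

    def __init__(self, external_ip: str, static_nat: dict):
        self.external_ip = external_ip    # the one public address clients hide behind
        self.static_nat = static_nat      # internal IP -> public IP for published servers
        self.dns_internal = {}            # name -> internal IP (answer for inside clients)
        self.dns_external = {}            # name -> public IP (answer for outside clients)
        self._dyn = {}                    # (internal IP, port) -> external port
        self._rev = {}                    # external port -> (internal IP, port)
        self._next_port = 40000

    def publish(self, name: str, internal_ip: str) -> None:
        """Register the same host in both views: its internal address is never
        disclosed outside, only the statically translated one."""
        self.dns_internal[name] = internal_ip
        self.dns_external[name] = self.static_nat[internal_ip]

    def resolve(self, name: str, client_ip: str) -> str:
        """Dual DNS: pick the view by where the query comes from."""
        view = self.dns_internal if is_reserved(client_ip) else self.dns_external
        return view[name]

    def nat_outbound(self, internal_ip: str, port: int) -> tuple:
        """Rewrite an outgoing connection to the firewall's public address; the
        mapping is remembered so replies can be translated back."""
        key = (internal_ip, port)
        if key not in self._dyn:
            self._dyn[key] = self._next_port
            self._rev[self._next_port] = key
            self._next_port += 1
        return (self.external_ip, self._dyn[key])

    def nat_inbound(self, external_port: int):
        """Translate a reply back; unsolicited inbound traffic matches no
        mapping and returns None, so it can be dropped."""
        return self._rev.get(external_port)
```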
3. Virtual private network (VPN)
A VPN encrypts the contents of all network traffic between two firewalls, or between a firewall and a mobile client, creating a virtual channel in which both ends can communicate securely and freely as if on the same network.
4. Anti-virus function
Most firewalls can be paired with anti-virus software to provide virus protection, and some firewalls integrate the anti-virus function directly; the difference is whether the scanning is done by the firewall itself or by another dedicated computer.
5. Special control requirements
Enterprises sometimes have special control requirements, such as restricting which users may send e-mail, allowing FTP downloads but not uploads, limiting the number of simultaneous users, limiting hours of use, or blocking Java and ActiveX controls; these depend on the needs of each enterprise.
The third factor: integration with the user's network
1. Ease of management
How hard a firewall is to manage is one of the main factors deciding whether it achieves its goal. Enterprises rarely press their existing network equipment into service as a firewall: besides offering only the packet filtering mentioned earlier and being unable to achieve complete control, such equipment is hard to configure, demands thorough knowledge, and is difficult to debug. These management problems are the main reason enterprises are unwilling to use it.
2. The firewall's own security
Most people choosing a firewall focus on how it controls connections and how many services it supports, but they often overlook one point: the firewall is itself a host on the network and may have security problems of its own. If the firewall cannot ensure its own security, then however strong its control functions are, it ultimately cannot fully protect the internal network.
Most firewalls are installed on an ordinary operating system such as UNIX or NT. Apart from the firewall software itself, the programs on the firewall host and the core of the system mostly come from the underlying operating system. When a security hole appears in software running on the firewall host, the firewall itself is threatened. At that point any control mechanism of the firewall may fail, because once a hacker gains control of the firewall, the hacker can do almost anything, including modifying the firewall's access rules and then breaking into more systems. The firewall itself therefore needs a very high level of security protection.
3. Complete after-sales service
We believe that when purchasing a firewall product, in addition to the features considered above, users should also note that a good firewall should be the protector of the enterprise's network as a whole and should compensate for the deficiencies of other operating systems, so that the security of any one operating system does not affect the overall security of the enterprise network. A firewall should support multiple platforms, because the user is in full control and the user's platforms are often diverse; users should choose a firewall product that meets the needs of their existing environment. Since new cracking methods are studied as soon as new products appear, a good firewall product should also come with a complete and timely after-sales service system.
4. Complete security checking
A good firewall should also give users complete security checking functions, but a secure network must still rely on the users' own observation and improvement, because a firewall cannot eliminate every malicious packet; an enterprise that wants real security still needs its staff to continually record, improve, and track. A firewall can restrict connections to legitimate users, but misuse carried out under the cover of a legitimate account still relies on administrators to discover.
5. The user's own situation
When choosing a firewall, users should consider the following factors about their own situation:
The degree to which the network is threatened; the potential loss if an intruder breaks into the network; other security measures already in use to protect the network and its resources; the loss to the whole organization if a hardware or software failure, or a denial-of-service attack against the firewall, leaves users unable to access the Internet; the services the organization wants to provide to the Internet and the services it wants to obtain from it; how many users must pass through the firewall at the same time; whether the network has an experienced administrator; and possible future requirements, such as increased network activity through the firewall or new Internet services.